Routes installed on T0 gateway despite the attached deny prefix list for the subnet



Article ID: 406568


Updated On:

Products

VMware NSX

Issue/Introduction

  • Routes are installed on the T0 gateway despite a deny prefix list being present for the subnet, as shown below:



  • The route for the subnet 172.16.20.0/24, as defined in the prefix list, is denied with the following log:
    2025-07-17T16:44:14.188Z edge bgpd 3226389 - - x.x.x.x rcvd UPDATE about 172.16.20.0/24 IPv4 unicast -- DENIED due to: route-map;
  • However, routes for more-specific networks within this subnet are still installed in the routing table.
    For example, 172.16.20.10/32


Environment

VMware NSX

VMware NSX-T Data Center

Cause

A rule like deny 172.16.20.0/24 only denies the prefix that is exactly /24; it does not deny longer (more-specific) prefixes such as /32 unless the entry is explicitly configured with the le (less than or equal) modifier.

Resolution

This is a user error.

Workaround:
To block the whole subnet, including every more-specific route within it, rather than only the exact /24, the prefix list entry must be configured with the "le" and "ge" modifiers.
The prefix list should be configured as below:
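The following Python script is an added illustration, not part of this article and not NSX code. It simulates the first-match prefix-list semantics described in the Cause section (an entry matches only when the route is covered by the entry's network and its prefix length falls in the range set by the entry's own length and the optional ge/le modifiers, with an implicit deny when nothing matches) and shows, on the article's own subnet, why the entry without le lets 172.16.20.10/32 through while the entry with le 32 denies it. The sample lists, helper names and the implicit-deny assumption are constructed for the example.

```python
"""Simulate IP prefix-list matching to show why `deny 172.16.20.0/24`
without `le`/`ge` does not catch 172.16.20.10/32.

Standalone illustration constructed for this article, not NSX code. It
assumes common first-match semantics: an entry matches a route only when the
route lies inside the entry's network AND its prefix length falls within the
range given by the entry's own length and the optional ge/le modifiers; a
route that matches no entry is denied (implicit deny at the end of the list).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    network: str              # e.g. "172.16.20.0/24"
    action: str               # "PERMIT" or "DENY"
    ge: Optional[int] = None  # minimum prefix length matched (greater-or-equal)
    le: Optional[int] = None  # maximum prefix length matched (less-or-equal)


def entry_matches(entry: PrefixEntry, route: str) -> bool:
    """True when `route` is covered by the entry and its length is in range."""
    net = ipaddress.ip_network(entry.network, strict=False)
    r = ipaddress.ip_network(route, strict=False)
    if r.version != net.version or not r.subnet_of(net):
        return False  # different address family, or route not inside the entry
    base = net.prefixlen
    # No modifiers: only the exact length matches. `ge` alone raises the upper
    # bound to the maximum length; `le` alone keeps the lower bound at `base`.
    lo = entry.ge if entry.ge is not None else base
    if entry.le is not None:
        hi = entry.le
    elif entry.ge is not None:
        hi = r.max_prefixlen
    else:
        hi = base
    return lo <= r.prefixlen <= hi


def evaluate(prefix_list: List[PrefixEntry], route: str) -> str:
    """Return the action of the first matching entry, or DENY if none matches."""
    for entry in prefix_list:
        if entry_matches(entry, route):
            return entry.action
    return "DENY"  # implicit deny (assumed, as in most prefix-list implementations)


def explain(prefix_list: List[PrefixEntry], routes: List[str]) -> Dict[str, str]:
    """Evaluate several routes against one list; handy for comparing configs."""
    return {route: evaluate(prefix_list, route) for route in routes}


# Constructed sample lists for the article's subnet (not taken from NSX).
BROKEN_LIST = [
    PrefixEntry("172.16.20.0/24", "DENY"),         # matches the exact /24 only
    PrefixEntry("0.0.0.0/0", "PERMIT", le=32),     # permit everything else
]
FIXED_LIST = [
    PrefixEntry("172.16.20.0/24", "DENY", le=32),  # the /24 and every more-specific
    PrefixEntry("0.0.0.0/0", "PERMIT", le=32),
]

if __name__ == "__main__":
    routes = ["172.16.20.0/24", "172.16.20.10/32", "172.16.21.0/24"]
    print("without le:", explain(BROKEN_LIST, routes))
    print("with le 32:", explain(FIXED_LIST, routes))
```

Two points the simulation makes visible: `ge` lets you narrow the range further (for example ge 25 le 32 denies only the more-specifics while still accepting the /24 itself), and neither modifier covers a less-specific route such as 172.16.20.0/22, which is not inside the /24 entry and therefore needs its own entry if it must be blocked as well.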